Attacks - Juniper JUNOS OS 10.3 - SOFTWARE Manual

Complete Software Guide for Junos
Requirements
Overview and Topology
2850
®
OS for EX Series Ethernet Switches, Release 10.3
This example describes how to configure basic port security features—DHCP snooping,
DAI, MAC limiting, and MAC move limiting, as well as a trusted DHCP server and allowed
MAC addresses—on a switch. The DHCP server and its clients are all members of a single
VLAN on the switch.
Requirements on page 2850
Overview and Topology on page 2850
Configuration on page 2852
Verification on page 2853
This example uses the following hardware and software components:
One EX Series switch
Junos OS Release 9.0 or later for EX Series switches
A DHCP server to provide IP addresses to network devices on the switch
Before you configure DHCP snooping, DAI, and MAC limiting port security features, be
sure you have:
Connected the DHCP server to the switch.
Configured the VLAN employee-vlan
with Multiple VLANs for EX Series Switches" on page 1312.
Ethernet LANs are vulnerable to address spoofing and DoS attacks on network devices.
To protect the devices from such attacks, you can configure DHCP snooping to validate
DHCP server messages, DAI to protect against MAC spoofing, and MAC cache limiting
to constrain the number of MAC addresses the switch adds to its MAC address cache.
You can also configure MAC move limiting to help prevent MAC spoofing.
This example shows how to configure these security features on an EX3200-24P switch.
The switch is connected to a DHCP server.
The setup for this example includes the VLAN
for creating that VLAN is described in the topic "Example: Setting Up Bridging with Multiple
VLANs for EX Series Switches" on page 1312. That procedure is not repeated here. Figure
68 on page 2851 illustrates the topology for this example.
on the switch. See "Example: Setting Up Bridging
on the switch. The procedure
employee-vlan
Copyright © 2010, Juniper Networks, Inc.